Skip to main content

tv   Key Capitol Hill Hearings  CSPAN  February 13, 2015 8:00pm-10:01pm EST

8:00 pm
o that. with that this committee will stand adjourned. thank you. >> up next, some of today's white house cyber security summit in california, beginning with president obama talking about information sharing between government and private industry. then homeland security secretary jeh johnson discusses the same issue with business leaders from american express pacific gas and electric and kaiser permanente. and later the ceo's of master card aig and bank of america, sit down with congress secretary penny pritzker for a discussion of on what companies can do to better protect against cyber attacks. >> president obama signed a new executive order today at a white house cyber security summit. the order makes it easier for the government and private
8:01 pm
industry to share information on cyber threats. before signing, the president talked about why it was important to address the issue now. he also spoke about the government's attachment to keep people safe while -- attempt to keep people safe while protecting civil liberties and privacy. this is 30 minutes. >> ladies and gentlemen, to introduce the president of the united states please welcome, stanford university president, john hennessey. [applause] >> welcome back. it's now my great privilege to intro our nation's 44th 44th president, barack obama. president obama came to office just after the global financial crisis in 2008. his presidency has been marked by the complexity and challenges of governing at a time when people are more interconnected
8:02 pm
than ever. sometimes in ways we don't even realize. and the idea of community extends far beyond physical boundaries. so many aspects of our lives have been digitized and technology is central to almost everything we do. but our increasing reliance has been accompanied by growing vulnerability, and as many of us have seen and heard in the panels prior those, the situation is getting much worse at an increasing rate. president obama understands this. in fact, he has personal experience with the challenges of cybersecurity. an avid black berry user and the first u.s. president to be always connected, he had to face the challenge of losing -- forfeiting his blackberry or having the security improved. luckily the security was
8:03 pm
enhanced and president obama could remain always connected. throughout his administration, from the early issuance of the cyber space policy review to the 2011 international strategy for cyber space to today's white house summit on cybersecurity and consumer protection, president obama has made -- has worked to make cybersecurity a national priority to protect consumers and their data and to strengthen our laws and our policies. we are honored to have him with us today. please join me in giving a warm stanford welcome to president president barack obama. [cheers] >> hello stanford! [cheering] >> thank you so much. thank you.
8:04 pm
thank you so much. thank you everybody. have a seat. have a seat. yes, we can. [cheering] first of all, let me thank president hennessey for not just the introduction but for your outstanding leadership at one of the great universities of the world. [cheering] >> i've got to admit i kind of want to go here. [laughter] i was trying to figure out why it is that a really nice place like this is wasted on young people. [laughter] who don't fully appreciate what you got.
8:05 pm
it's really nice, and everybody here is so friendly and smart some it's beautiful. what's there not to like? i want to thank you and everybody at stanford for hosting this summit. especially amy zegart, george and someone who served as a great adviser to me at the white house, and as an outstanding ambassador to russia before coming back to the farm mike mcfall. [applause] >> it is great to be here at leyland stanford, jr. university. and i'm pleased to be joined by membered of my team who bleed cardinal red. we're infiltrated with stanford people. we have senior adviser valerie
8:06 pm
jarrett. national security adviser susan rice. secretary of commerce penny pritzker. and let's face it, i like stanford grads. i notice steve chu was around here, who helped lead our energy department for a while. and he is now hanging out. i'm also pleased to be joined by other members of my cabinet. our secretary of homeland security, jeh johnson is here. and our small business administrator maria contreras-sweet, and i want to acknowledge my tireless homeland security adviser who helped and continues to shape our cyber security efforts, lisa. thank you. so, i'd always heard about this campus and everything is riding bikes and people hopping into
8:07 pm
fountains and the current holder of the axe. [cheering] a place that made nerd cool. i was thinking about wearing some black rimmed glasses, some tape in the middle. that's not what you do anymore. as i came to stanford, i was told you'd talk nerdy to me. but i'm not just here to enjoy myself. as we gather here today america is seeing incredible progress we can all be proud of. we just had the best year of job growth since the 1990s. over the past 59 months -- [applause] -- the past 59 months our businesses have created nearly 12 million new jobs, which is
8:08 pm
the longest length of private sect juror job growth on record and a hopeful sign for medsle class families wages are beginning to rise again. we're doing more to prepare our young people for a competitive world. high school graduation rate is at an all-time high. more americans are finishing college than ever before. here at stanford and across the country we have the best universities the best scientists the best researchers in the world, the most dynamic economy in the world, and no place represents that better than this region. so make no mistake, more than any other nation on earth the united states is positioned to lead in the 21st century. and so much of our economic competitiveness, is tied to what brings me here today and that is america's leadership in the digital economy. it's our ability, almost unique
8:09 pm
across the planet, our ability to innovate and to learn and to discover and to create and build and do business online. and stretch the boundaries of what is possible. that is what drives us. and so when we had to decide where to have this summit, the decision was easy, because so much of our information age began right here. at stanford. it was here where two students bill hewlett and dave packard met, and then in the garage not far from here started a company that eventually built one of the first personal computers, weighing in at 40 pounds. it was from here in 1968 where a researcher douglas englebart, astonished an audience with two computers connected online and click on with something called a
8:10 pm
mouse. a year later, a computer here received the first message from another computer 350 miles away. the beginnings of what would evenly become the internet -- eventually become the internet and it's no eek credit these innovations built on government-funded research is one of the reasons that if we want to maintain our economic leadership in the world, america has to keep investing in basic research and science and technology. it's absolutely critical. [applause] here at stanford pioneers developed the protocols and architecture of the internet the dsl, the first web page in america. innovations for cloud computing. student projects here became yahoo and googling. those were pretty good student projects.
8:11 pm
your graduates have gone on to help create and build thousands of companies that have shaped our digital society, from cisco to sun microsystems, youtube to instagram, stub hub. according to one study, if all the companies traced back to stanford graduates formed their own nation you'd be one of the largest economies in the world and have a pretty good football team as well. [applause] and and today with your cutting edge research programs and new cyber initiatives your helping us navigate some of the most complicated cyberber challenges we face as a nation. i want to thank all of you kuo joined us today, members of come renttives from the private seconder academia privacy and consumer groups, and especially
8:12 pm
the students who are here. just as we're all connected like never before we have to work together like never before both to seize opportunities but also to meet the challenges of the information age. and it's one of the great paradoxes of our time. that the very technologies that empower us to do great good can also be used to underminus. and inflict great harm. targeted by hackersom china and rich who go after our defense contracts and systems built for our troops. the same social media we use in government to advocate for democracy and human rights around the world can also be used by terrorists to spread hateful ideologies. so the cyber threats are a challenge to our national security. much of our critical
8:13 pm
infrastructure, our financial systems, our power grid, health systems, run on networks connected to the internet, which is hugely empowering, but also dangerous. and creates new points of vulnerability that we didn't have before. foreign governments and criminals are probing these systems every single day. we only have to think of real life examples. air traffic control system going gown and disrupting flights or blackouts that pluck cities into darkness. imagine what a set of systemic cyber attacks might do? so this is also a matter of public safety. as a nation we do more business online than ever before. trillions of dollars a year. and high-tech industries like those across the valley support millions of mesh jobs. all this gives us an enormous
8:14 pm
competitive advantage in the global economy and for that very reason american companies are being targeted. their tread secrets stolen. -- their trade secrets stolen, intellectual property ripped off. the north korean cyber attack on sony pick tires destroyed data and disabled thousands of computers and exposed personal information of sony employees, and these attacks are hurting american companies and costing american jobs. this is also a threat to america's economic security. as consumers we do more online than ever before. we manage our bank accounts. we shop. we pay our bills. we handle our medical records. and as a country one of our greatest resources are the young people who are here today. digitally fearless and -- uneven culpbered and remaking the world
8:15 pm
every day but it also means that this problem of how we secure this digital world is only going to increase. i want more americans succeeding in our digital world. i want young people like you to unleash the next waves of innovation and launch the next startups and give americans the tools to create new jobs and new businesses and to expand connectivity in places we currently can't imagine to help open up new worlds and new experiences and empower individuals in ways that would seem unimaginable ten 15, 20 years ago. that's why we're working to connect 99% of america's students to high-speed internet because when it comes to educating our children we can't
8:16 pm
afford digital divide. that's why we're helping more communities get across to the next generation of broadband faster with cheaper internet, so that students and entrepreneurs and small businesses across america, not just in pockets of america, have the same opportunities to learn and come pete as you do here in the valley. it's why i've come out so strongly and publicly for net neutrality. for an open and free internet. [applause] because we have to preserve one of the greatest engines for creativity and innovation in human history. so our connectivity brings extraordinary benefits to or daily lives and also brings risks. when companies get hacked americans' personal information including their financial information, gets stolen identity theft can ruin your credit rating turn your life upside down.
8:17 pm
in recent breaches more than 100 million americans had their personal data compromised including in some cases credit card information. we want our children to go online and explore the world but also want them to be safe and not have their privacy violated. so there's a direct threat to the economic security of american families not just the economy overall, and to the well-being of our children which means we have to put in place mechanisms to protect them. shortly every took office, before i had gray hair, i said that these cyber threats were one of the most serious economic national security challenges that we face as a nation and i made confronting them a priority. given the complexity of the threats, i believe we have to be guided by some basic principles. so let me share those with you today. first this has to be a shared mission.
8:18 pm
so much of our computer networks and critical infrastructure are in the private sector which means government cannot do this alone. the fact it that private sector can't do it alone either because the government has the latest information on new threats. there's only one way to defend america from these cyber threats and that is through government and industry working together, sharing appropriate information, as true partners. second, we have to focus on our unique strength. government has many capabilities but it's not appropriate or even possible for government to secure the computer networks of private businesses. many of the companies who are here today are cutting edge. but the private sector doesn't always have the capabilities needed during a cyber attack. the situational awareness or ability to warn other companies
8:19 pm
in real-time or the capacity to coordinate a response across companies and sectors. so we have be to smart and efficient and focus on what each sector does best and then do it together. third, we have to constantly evolve. the first computer viruses hit personal computers in the early 1980s, and essentially we have been in a cyber arms race ever since. we design new defenses, and then hackers and criminals design new ways to penetrate them. whether it's fishing or botnets spy ware malware, and now ransom ware these attacks are getting more and more sophisticated every day so we have to be just as fast and flexible and nimble in constantly evolving our defenses. and fourth, and most importantly, in all of work we have to make sure we are protecting the privacy and civil liberty of the american people.
8:20 pm
we grapple with these issues in government. we pursued important reforms to make sure we are respecting people's privacy as well as ensuring our national security. and the private sector wrestles with this as well. when consumers share their personal information with companies, they deserve to know that it's going to be protected. when government and industry share information about cyber threats, we have to do so in a way that safeguards your personal information. when people go online we shouldn't have to forfeit the basic privacy we're entitiled to as americans. in recent years we have worked to put these principles into practice and as part of our comprehensive strategy we boosted our defenses in government, we're sharing more information with the private sector to help those companies defend themselves, we're working with industry to use what we
8:21 pm
call a cyber security framework to prevent, respond to and recover from attacks when they happen. and by the way, i recently went to the national cyber security communications integration center where representatives monitor cyber threats 24/7. so defending against cyber threats, just like terrorism or other threats, is one more reason that we are calling on congress, not to engage in politics -- this is not a republican or democratic issue -- but work to make sure that our security is safeguarded and that we fully fund the department of homeland security because it has great responsibilities in this area. so we're making progress. and i've recently announced new actions to keep the momentum weapon called for a single national standard so americans know within 30 days if your information has been stolen.
8:22 pm
this month we'll be proposing legislation we call a consumer privacy bill of rights. to give americans some baseline protections like the right to decide what personal data companies collect from you, and the right to know how companies are using that information. we proposed the student digital privacy act which is modeled on the landmark law here in california, because today's amazing educational technologies should we used to teach our students and not collect data for marketing to students. and we have also taken new steps to strengthen our cyber security proposing new legislation to promote greater information sharing between government and the private sector, including liability protections for companies that share information about cyber threats. today, i'm once again calling on congress to come together and get this done. and this week we announced the creation of our new cyberthreat intelligence integration center.
8:23 pm
we'll have a single intent analyzing and -- so we can act on the threats even faster. today we're taking an additional step, which is why there's a -- i'm signing a new executive order to promote even more information sharing about cyber threats, both within the private sector and between government and be private sector and will encourage more countries and industries to set up organizations, hubs, to share information with each other. it will call for a common set of standards, including protections for privacy and civil liberties so the government can share information with the hubs more easily and it can help make it easier for companies to get the classified cyber security threat information they need to protect their companies. i want to acknowledge the companies who are represented here are stepping up as well.
8:24 pm
the cyber threat alliance, which includes companies like pool networks and semantic are going to work with us to share more information under this new executive order. you have cos from apple to intel, from bank of america to pg&e, who are going to use the signber security framework to strengthen their own defenses. as part of our buy secure initiative visa and mastercard and american express and others will make they're transaction -- make their transactions more secure. innings in star is giving companies another weapon to battle identity theft and that's free access to their credit scores. and more companies are moving to now, stronger technologies to authenticate user identities like biometrics because it's just too easy for hackers to figure out user names and passwords like, pass purdue.
8:25 pm
-- password, or 123457. [laughter] those are some of my previous passwords. i changed them since then. [applause] so, this summit is an example of what we need more of. all of us working together to do what none of us can achieve alone. and it is difficult. some of the challenges i described today have defied solutions for years. and i want to say very clearly that as somebody who is a former constitutional law teacher and somebody who deeply values his privacy and his family's privacy, although i chose the
8:26 pm
wrong job for that, but we'll be a private citizen again and cares deeply about this. i have to tell you that grappling with how government protects the american people from adverse events, while at the same time making sure the government itself is not abusing its capabilities is hard. the cyber world is the wild wild west and to some degree we're asked to be the sheriff. when something like sony happens, people want to know what can government do about there is? if information is being shared by terrorists in the cyber world, an attack happens, people want to know are there ways of stopping that from happening? by necessity that means
8:27 pm
government has its own significant capabilities in the cyber world but then people rightly ask what safeguards do we have against government intruding one on our own privacy? it's hard. and it constantly evolves because the technology so often outstrips whatever rules and structures and standards have been put in place. which means the government has to be constantly self-critical and we have to be able to have an open debate about it. but we're all here today because we know that we're going to have to break through some of these barriers that are holding us back if we are going to continue to thrive in this remarkable new world. we all know what we need to do. we have to build stronger defenses and disrupt more attacks. we have to make cyberspace
8:28 pm
safer. we have too improve cooperation across the board and by the way, this is not just here in america but internationally. which also makes things complicated because a lot of countries don't necessarily share our investments -- our commitment to openness and we have to try to navigate that. this should not be an ideological issue, and that's one thing i want to emphasize. this is not a democratic issue or a republican issue, not a liberal or conservative issue. everybody online and everybody is vulnerable. business leaders here want their privacy, and their children protected, just like the consumer and privacy advocates here want america to keep leading the world in technology and be safe from attacks. so i'm hopeful that through this forum and the work we do subsequently that we're able to generate ideas and best
8:29 pm
practices, and the work of this summit can help guide our planning and execution for years to come. after all we're just get can started. think about it. tim -- from his lab in switzerland invenned the world wide anybody 1989 only 26 years ago. the great ethics in human history, the bronze age i-age, agricultural refer luigs industrial revolution. they've spanned centuries. we're only 26 years into this internet age. we have only scratched the surface, and as i guess they say at google future is awesome. we have not even begun to imagine the discoveries and innovations going to be
8:30 pm
unleashed the decades to come. but we know how we'll get there. reflecting on his work in the 1960s on -- a precurse are of the internet, the late paul barren said this. the process of technological development is like building a cathedral. over the course of several hundred years new people come along and each one lays down a block on top of the old foundations, each saying i built the cathedral. and then comes along an historian who asks who built the cathedral? and barren said if you're not careful you can con yourself into believing you did the most important part, but the reality ills that each contribution has to follow on to previous work. everything is tied to everything else. the innovations that first appeared on this campus, that
8:31 pm
first mouse, that first message helped lay a foundation. and in the decade since, on campuses like this and companies like those that are represented here new people have come along, each laying down a block, one on top of the other. and when future historians asked, who built this information age it won't be any one of white house did the most important part alone. the answer will be, we all did? i am confident if we keep working together in a spirit of collaboration, like all those innovators before us, our work will endure. ...
8:32 pm
[applause] thank you. [applause] i don't really need to sit down because it's right here. [laughter] it is a little formal. i have to do this so that everybody gets a pen.
8:33 pm
thank you very much everybody. [applause] ♪ ♪ homeland security secretary jeh johnson moderated discussion that included the ceos of american express. they talk about the public-private sector working together with cyber threats.
8:34 pm
this is 45 minutes. [applause] >> good morning everybody. i think we can do better than that. come on. [applause] thank you there we go. the students are here. that's terrific. you know before we get started i have to say this. this is truly a beautiful campus. every time i come here i'm just amazed. you all can go to school here. you are so fortunate. i was walking around campus unfortunately a lot of men in business suits around here are quite conspicuous. a lot of secret service agents in suits on this campus that are quite conspicuous. this morning reminded me of the fact that i have two college students kids who go to school in southern california.
8:35 pm
my daughter has instructed me that whenever i come visit her on campus i am to dial back as much of the entourage as possible. don't embarrass me dad so i tried to do that a couple of months ago, last fall. i went to visit my daughter on her college campus. i discovered and this is relevant to this discussion. i discovered that there is a tool, a chat tool that college students use on campus where they communicate anonymously about things -- [laughter] if there's somebody in the backroom somewhere that cleans somewhere that claims about the things going on on campus. class is canceled or there is a party here or something like that. so i went onto campus to visit my daughter and i did was i was
8:36 pm
instructed to do an dial back the entourage but it did not work. immediately this chat room led up. hey, there are two secret service agents on campus. what up? [laughter] somebody responded president obama is here. [laughter] somebody reply he is not here. he is not even in the state today, calm down. the next one, his daughter is looking at us for school. no, calm down. she's not old enough yet. my son is with us on my daughter's college campus and my son figured out how to hack into the conversation and my son can't resist making a little fun of dad. you know they still cared about the fact that i have an ipod and so my son hacked into the conversation and said hey it's a vin diesel look-alike.
8:37 pm
[laughter] why does he need armed guards? somebody finally figured out and they said no its a fake obama chief of homeland security's daughter goes to college here don't you know that? somebody said that's too bad, she will never get a date in four years. [laughter] so we are here at stanford. dr. hennessy thank you for hosting us to talk about the all important discussion of the subject of public-private collaboration and this panel in particular in cybersecurity. the discussion is critical and timely for the reasons that you heard lisa spell out. at the department of homeland security my department we are responsible for counterterrorism counterterrorism, aviation security, maritime security voter security protection of our national leaders, coast guard and administration of our
8:38 pm
immigration laws and last but not least cybersecurity. cybersecurity is a top priority of our department. it is a top priority of mine. at dh as we are responsible for securing the world as well as partnering with the private sector in mitigation prevention of cyberattacks and information sharing. last month the president came to dhs to announce our administration's legislative priorities in cybersecurity. the congress late last year passed some pretty good cybersecurity legislation. they actually do things once in a while to beef up the role of our national cybersecurity communications and integration center called the nccic which is sort of a centerpiece of my
8:39 pm
department's cybersecurity mission. we have announced to the administration that we want to formally enter legislation codified the nccic as the single point of entry for private sector into the federal government through the nccic. we have announced their support for limits on civil and criminal liability for those in the private sector who share with the nccic cybersecurity information cyberthreats indicators with the government, with my seau and the president will talk about that later on. we wanted to encourage information sharing with the private sector given so much cybersecurity resides with some of the people you see here on this panel. it needs to be a shared partnership and a shared relationship. in this dare i say post---
8:40 pm
environment it is critical for us to strengthen the dialogue and that is much of what this conference is about. the last thing i will say before introduced the panelists, as many of you know here i have to say this in front of any public audience i speak to these days, any opportunity i can before the press and the public. the department of homeland security which has as part of its mission in cybersecurity is operating on a continuing resolution right now which expires on february 27. as long as we are on acr we are severely restricted in how we spend money, how we spend money on new initiatives so every opportunity i get i am urging our congress to pass and enact a full year's appropriations bill for homeland security of this nation. it is critical particularly in these times. so let me introduce the
8:41 pm
panelists. to my immediate right is my good friend, chairman and ceo of american express in addition to being my good friend. he was my fraternity brother and is on on the board of directors of ibm, proctor & gamble and is a trustee of the world trade center -- to his immediate right is tony early's chairman and ceo of pg&e. tony is on the board of directors of united way and numerous other boards. mark mclaughlin chairman and ceo of the rapidly growing palo alto network cybersecurity firm. mark is also a west point graduate class of 1988 and a former attack helicopter pilot which is really cool. mark serves on -- he looks like an attack by their
8:42 pm
pilot. mark serves on the telecommunications advisory committee. thank you for your service. his immediate right is bernard tyson chairman and ceo of kaiser permanente. he spent more than 30 years at that company in positions ranging from ceo to administrator of hospitals and has dedicated much of his work to eliminating health care disparities on individuals in this country. last but not least dr. elizabeth randall one of my best friends in the obama administration. deputy secretary of energy. prior to that she was special assistant to the president and white house coordinators for defense policy. dr. sherwood randall is a rhodes scholar. her principle claim to fame in this audience is that she was secretary -- college roommate.
8:43 pm
we run out of time we will ask liz a few questions about that experience. so having said all that let me turn it over to the panelists for a few remarks. >> thank you mr. secretary and thank you friends. let me first go up 100000 feet to talk about this issue of cybersecurity and consumer protection. one of the very important points that i make at our company american express is that trust is really what holds us together and that is what holds our society together. what we are really talking about when they talk about cybersecurity and consumer protection is really trust. that is the bone for all of us. i think what is very important about the tension that is playing out now and it's something that i emphasize in our company is we like -- have
8:44 pm
to be focused on what i call constancy of values. what are the values of this country? were accompanied those values are trust, service integrity and threw 165 years of reinvention we have to adhere to those values. that is what we have to do with the threat of cybersecurity as we cannot allow that threat to in fact change the constancy of values that are so essential to the future of this nation. so we have to have constancy of values with constancy of reinvention because that is what has made america great. and so those two points i think are very critical before i go into some of my prepared remarks which i thought jeh since i
8:45 pm
would fulfill the time requirement would be much better that i put something down on paper. so as we have all talked about, the threats that we face are increasingly challenging increasingly complex and they are changing every second. and so all of us on this panel take these threats very seriously and we have spent an incredible time of and resources and i think it's very important that both the tone and substance from the top has to be very very strong. in the context of collaboration i really think that information sharing may be the single highest impact lowest cost and fastest way to improve the capabilities we have at hand as
8:46 pm
a nation to accelerate our overall defense and buried in increasing threats that we are facing every second. for instance through the financial services information sharing and analysis center we work closely with various federal state and local government agencies to quickly disseminate physical and cyber threat alerts and other critical information. our industry has been effective idea and much of that has to do with the close collaboration that we have with our government partners. in addition to iysac we work closely with the government there are senior coordinating council and the national cyber forensics and training alliance based in pittsburgh. now these partnerships help us
8:47 pm
defend our networks from cyberattacks but their capabilities could be dramatically enhanced. consider these numbers. we service over 100,000 attack indicators yearly from various sources yet only 5% comes from industry sharing through isac and less than 1% comes from the government. in order to incentivize the greater industry sharing we need to pass legislation that provides liability protection for private-sector sharing and channels government resources more effectively. the government needs to aggressively share with the private sector in an appropriate manner the indicators of attack.
8:48 pm
this is critical to helping the private sector better defend itself. with these changes, we would greatly enhance the timeliness and quality of threat information. in addition to information sharing around cyber threat the public and private sector should continuously partner to illuminate barriers. now i will give you an example of a common sense and simple change to an old regulation that would show an immediate benefits for consumers and consumer protection. we constantly communicate with our members about potential fraud on their accounts. we reach them from a variety of channels, their home phone the
8:49 pm
internet, the mx app and text messaging. there is a law from the early 1990s that limits our ability to contact american express card numbers and this applies to the industry overall via mobile phones. as a result we are not allowed to send fraud alerts via text to more than 90% of our customers. yet for the universe we are allowed to text we received a reply within 60 seconds 35% of the time. this is real-time fraud protection. this capacity not just ours but the industry, would leap tenfold overnight with a single update to existing government regulations. it would have a measurable impact on fraud and it would
8:50 pm
help to reduce decline charges which are an annoyance. most of this audience has likely faced. the public and private sectors must partner to keep our laws and regulations current with the advances in technology. this is how we are going to be able to meet the objectives of constancy of values and constant reinvention. we need more cross industry and cross sector and cross partnership with government. so again mr. secretary i want to thank you for inviting me. i want to thank the president for this very important effort and the last that i would leave you with, i really do think this is fundamental to maintaining not only an orderly society but
8:51 pm
to make sure that we get it here to the values that made this country great. thanks. [applause] >> thank you mr. secretary for allowing me to represent the utility industry on this panel and i want to start by assuring you of the commitment that america's electric and gas companies to maintaining safe and reliable service. reliability and safety are part of our industry's dna. every time there is a hurricane every ice storm, every tornado we have a graphic reminder of the role that we play in and how are our society operates and impact we can have our national security. back in 2003 i was ceo of bt energy in detroit and we were in the middle of the great northeast blackout. i can assure you that neither i
8:52 pm
nor any other ceo in our industry wants to experience that empty feeling when you realize you have lost power to everyone and everything out there. can be really scary. our industry is incredibly self mochas -- self focused and electric and nuclear sectors are the only two sectors that have enforceable mandatory cybersecurity standards. our industry's commitment to cybersecurity i think is reflected in the active involvement of our ceos. back in 2009 i chaired the industry trade association that an electric institute and i recall we had our first briefing where the cios talk to ceos about coming trends in the computer era and started talking about cybersecurity. it was an eye-opening experience. i can tell you not a single meeting of ceos and their ceos meet four times a year,
8:53 pm
not a single meeting goes by where we are not focused on cybersecurity issues. that ceo involvement has really led to a public-private partnership with the government that has been very effective. it's a group called the electric sub sector coordinating council and interestingly this public-private partnership evolved out of some real-life experience in hurricane sandy in the northeast. it became immediately apparent that if the electric industry didn't coordinate with the department of energy and homeland security, with fema that we were going to have suboptimal response to the massive outages that occurred during superstorm sandy. in fact the president himself addressed the first conference call involving industry ceos and the various government agencies. i can tell you that his commitment to a collaborative approach made all the difference
8:54 pm
in the world and the effectiveness of the response to that storm. it was concluded that it works so well in the storm response when we try the same approach in dealing with cybersecurity issues and hands the est ce was formed. i think there are four areas that we have learned we need to focus on. i think this provides a good blueprint for other sectors in the economy. first, you have got to maximize the available tools of technology and this is an area for the government has far more effective tools in the private sector and it has been very refreshing to be able to cooperate with a series of government to have these tools and allow them to be used on our systems to help upgrade the security of our systems from a cyberstandpoint. second the importance of information sharing. how many of the horror stories around security breakdowns involves filing of information
8:55 pm
where one group doesn't know what the other is doing so we concluded that actionable intelligence and threat indicators have to be communicated between government and industry and it's got to be a two-way communication and it's got to be timely as ken said. thirdly can assume we are going to be able to stop everything so we need to build robust response plans and test those plans they so they're not just plans on paper. a joint exercise conducted in 2013 was a perfect example of such a test and further tests are planned for the future. and then the fourth thing that we have discovered that we need to have is cross-sectional cooperation and we learn this from sandy. we almost hit the ground all of our repair trucks because the lack of fuel. we now know while the electric sector plays a key role in our
8:56 pm
economy and the national security would also have to work with other sectors so we are working with telecom on information sharing and working with the rewards transporting or spare parts to where they are needed. the financial sector has experiences that are very relevant to our challenges and obviously the coordination between the electric sector in the natural gas sector is critical to keep our power plants up and running. i think those are lessons that can be taken and applied to another -- number of sectors in our economy. the last item i want to mention because i really have to emphasize this this work cannot be adversarial. we have enough adversaries out there. this has got to be like the new manhattan project were government and the private sector work together for a common goal, to combat these real and pernicious threats and i think we have a good start
8:57 pm
with what we are doing and i thank you for your leadership in moving this forward. [applause] >> thank you mr. secretary. i appreciate the chance to be here and speak on behalf of the security industry and the demonstrations ever to bring us together. it's obvious that cyber threats are real and systemic threat for every company and organization and essays. historically when that happens happens this as a result where everybody gets gathered and there may be differences but we figure out how to make it better for everybody in this summit is a perfect example of that. thank you for putting this together. we are in the business of trying to prevent these things. we know we can't prevent
8:58 pm
everything and we know that no individual company can prevent everything but we also know for sure that one of the best in effective ways to increase this prevention is to share information that we have all mentioned so far because of highly effective. at the end of the day the point of that is the more of this threat intelligence and information we are sharing the faster we all have it for companies and security companies and what that means for the bad actors is less of a chance that an attack is going to be successful opera period war broad range of companies and maybe his only successful months and no one wants to be patient zero but it reduces that. it dramatically reduces the cost and limits the number of factors and a lot of good things will occur from that. sharing is critical and we are seeing more and more. there a lot of acronyms flying around but i think it's simple in nature trying to get the public sharing. i think the administration's
8:59 pm
announcement for ctiic is a perfect example of her having public public information sharing and you have nccic public to private sharing is extremely helpful and at the private level there is lots of private sharing going on. you guys both mentioned the various isaf and the fsi sack has been incredibly effective for some time. one of the things i'm very happy about is the security industry coming together to do something like that. six months ago ourselves samantha mcafee and ford announced something called the cyber threat announcements which his competitors coming together to form a security interest isac so yours have a lot of vertical information that is helpful. this is a horizontal security viewpoint to share information among competitors so all of our customers can have that. 40 members joined this morning so we are happy about that and
9:00 pm
we invite every security company to be apart for the good of all customers. but of course getting all the information shared as fast as possible is a great outcome. in doing that it has to be done in a responsible manner. a lot of the discussion here will be about how can you do that without having companies face baseless liability but at the same time you can't -- and those are not mutually exclusive concepts and usually boil down to security versus privacy. those are not mutually exclusive concepts. there will be a difference of opinion but we won't get over that until we sit down and talk about them. i think that's a fantastic thing for all of us and again i appreciate the leadership on this and the chance to be here today. [applause]
9:01 pm
>> good morning and it's an honor to be here and it's an honor to have you here with us this morning mr. secretary. i want to welcome you again to sunny california where we enjoy the sun and we do need some rain but don't worry we still -- around here so welcome. and it's also privileged to be here at stanford. i didn't quite make it here what when i wanted to come but my wife did so i feel like i've become part of the staff. it's a great school. on a more serious note this is clearly a major issue for all of us and all of us in the country and in fact in the world. with within kaiser permanente we are a unique organization in the health care industry because i have an essence to business models inside of my organization. i have a health plan in which we
9:02 pm
provide insurance and coverage to almost 10 million americans and then a comprehensive delivery system in which we provide care to those 10 plus million americans plus the communities that weekly exists. the flow of information on both those continuums now in the 21st century sits on technology and as a result of that we have pretty much been able to provide real-time information to our positions, or caregivers, to our members when they needed and what form they needed for the type of health decisions that need to be made between the patient and the physician or the care team. the single biggest concern that our members have about about the
9:03 pm
beauty of the technology and the ability to move information freely is the security of that information and the confidentiality of that information because the research has shown that patient information is much more sensitive issue for the average person then financial information and that too is devastating. we spend a tremendous amount of time inside of her organization doing everything possible to keep the bad people out. god forbid if any of them get in how to -- which is a two-pronged approach which oversees for the company. i chair the governance committee committee. i spend at least two times a month in committing meetings with my top team. a report to the board about the work we are doing inside the
9:04 pm
organization. i'm spending millions and millions of dollars trying to figure out to make sure we have every thing available to secure this precious information on behalf of the american people and i share that information for any and everyone that i can in the industry to share lessons learned. so there is an infrastructure inside my organization which we are trying to every day and every night grapple with this issue. inside of her industry where coming together in different forms in which we are openly sharing what we are doing to try to secure the information across all of our organizations. so i view this next extension in question which is a public-private relationship as a natural and unnatural for me is we all have a common interest in the common interest is it doesn't matter what business is we run over and they want to secure the information or the good of the people who are
9:05 pm
putting their trust in our respective organizations and to make sure we maintain that trust at all times. so the interest is high from my perspective to be involved and engaged and the opportunities are high because the collective intelligence that we can bring to the table that benefits everyone i would argue is of common interest to each of us. and then finally i would say there are two incredible opportunities that i think we can have in the public-private relationship. the first one we all talked talk about which is the ability to share the information on what we know. to demonstrate to you how sensitized i am to the issue is a discredit to the beginning i have to be absolutely clear that i stayed i am not talking about sharing the actual content that
9:06 pm
i'm here to protect. it is sharing what i am learning about people who are trying to get to that content that i'm trying to keep up. it's important for me to say that because that is a sensitivity that i hear every single day. are you sharing my information with the wrong people? i think together in the public-private relationship we can effect a form in which we can continue to share with each other what we are learning and how we are addressing it. i think the second area thick cann touchdown earlier was his great example about the cell phone and text messaging. in the health care industry well-intentioned regulations were written for certain period of time in which it is now irrelevant in the day in which we live. and we need to have a forum in which we have a collective conversation about constructive
9:07 pm
change that will in fact advance our effort but yet assured in this case the american people that their best interest is being protected. i think that's the second area where the public-private partnership can be tremendously helpful. thank you very much. [applause] >> dr. sherwood randall. >> good morning and thank you jeh for your leadership on these critical issues. jeh and i met the day after the election in november 2008 when we joined the obama transition team in washington and indeed i came to that team from stanford where he spent 12 wonderful years based at the center for international security and cooperation and i'm thrilled to be back on the form today with all of you.
9:08 pm
[applause] so many friends in the audience. i'm just delighted to be here. what has kept me away from this magnificent place that i love so much has been the opportunity to work on her most difficult national security challenges including modernizing and securing our electric sector which powers our nation. as you know innovation that was born here in silicon valley has enabled the group to do more today than ever before through interconnected information technologies and industrial control systems and while this has empowered us to do so much this convergence of wireless communications and digital controls also creates huge new vulnerabilities. so i want to highlight two aspects of this, of the electric grid in which vulnerabilities are introduced by this
9:09 pm
interconnectivity. one is our industrial control systems and the others is an an in supply-chain vulnerabilities. industrial control systems including what we call supervisory control and data acquisition systems are the backbone of the energy sector. these systems allow users to monitor, gather and process data data in real-time as well as send commands that power the grid. we can send commands for example that will open and close fuel pumps or water pumps in remote locations using these systems but obviously this offers opportunities for our adversaries who would want to do us harm. second the supply-chain of the electric grid is vulnerable. electric companies don't make the parts and software that
9:10 pm
support what they do for us. their suppliers are diverse and much of what they procure his off the shelf so for example a company could be taking great hair -- care to an enhanced cyberdefenses but failed to audit the potential bumbled through these -- the vulnerabilities of software in a time and energy they have to put into doing that would be impractical. so supply-chain integrity and management has to be part of our cybersecurity protections. leaders in government, we don't have the opportunity just to admire a problem. we actually have to figure out what to do about is one of the reasons president obama called this meeting today at stanford is to talk with you all about what we want to do to identify practical solutions. the partnership that is highlighted at this summit between the federal government and the private sector is at the core of what we must do in
9:11 pm
government working with industry and brilliant people at universities like this across the energy industry to address cybervulnerabilities. president obama pointed out in his 2013 policy directive on critical infrastructure and resilience that energy and dedication systems enable all other infrastructures to function so if we don't protect the energy sector we are putting every other sector of the economy in peril. at the department of energy we are the day-to-day coordinator with industry on matters of security resilience incident response and planning. in government speak we are called the sector specific agency for the energy sector. that brings me to the core of this discussion which is the public-private partnerships and information sharing mechanisms that are indispensable to meet this challenge.
9:12 pm
getting started as deputy secretary a few months ago i have made this one of my highest priorities and indeed i chaired our department cybersecurity council. the fast is managing infrastructure is largely not government-owned. about 90% of it is privately-owned and so that means we have to work with owners and operators to rapidly elevate and sustained their cybersecurity capabilities as well as ours. tony early mentioned one of the most progressive partnerships we have is their energy sector coordinating council. ceos meet several times a year and already i have met with him twice in my first two months on the job. our efforts have resulted in the development and deployment of a number of information sharing measures and industry assessment tools as tony noted. i have also emphasized that is critical we coordinate with other sectors. tony mentioned this as well with the oil and gas sector and the
9:13 pm
transportation sector in the communications sector. one of the big challenges here is speed given the dynamic threat that we face and the e. o. the president has issued today reflects this. we have to have the government process that does not take too much time to share information about threats. we can't wait will on regulations to do with these cyber attacks. we are perpetually behind a threat and that's how we deal with that. our solution is to provide tools and information to companies in real-time so they can be aware of the risks that you noted that government may know first although honestly you may see the information person who systems and you need to report it to us so we can make others aware of what's happening. as soon as it's identified. in addition our department of energy has a number of extraordinary national labs. one of them his here at stanford.
9:14 pm
stanford linear accelerator. we do cutting-edge research on cyber and physical challenges to our critical infrastructure at a number of those labs. over the last several years 80% of the world's control system vendors have been tested through government-funded assessments at our idaho national lab for example. this testing is followed by design reviews and mitigation discussions with the vendor. indeed at idaho which i visited last week a 900 square mile grid scale test range exists which enables us to do real-world testing testing of the interdependencies of modern grid technologies and the evolving threats we face to critical infrastructure. we also conduct live exercises to train government and private sector cybersecurity experts on control system technologies at
9:15 pm
idaho national lab and help them to develop an understanding of what they can do to minimize and mitigate vulnerabilities. so we all know cybersecurity is going to remain a challenge into the future as we can see. secretary moniz and i have made this a high priority and indeed we are going to poke more than $100 million over this here next year towards cybersecurity of the nations electric grid. in closing i want to speak directly to the students are today. can you raise your hands? i understand there are a lot of you. when the president of the united states and many cabinet members and ceos of important companies come to your campus we hope we are going to inspire you to pursue careers that give you a chance to find a way to do public service. that can take many forms and you will blaze your own trails. indeed my 17-year-old son richard will join you here on
9:16 pm
campus as a member of the class of 2019 this fall. [applause] it's my hope that he will take up this call to action alongside you because we need your minds come your talent coming or innovation and your energy. the problems we are discussing today are some of the toughest that we face as a nation and that makes them the most worth working on. so an courage all of you to use the privilege of being at this extraordinary university to find ways you can play a part in inventing solutions that will help us keep our great country is strong and. thank you. [applause] >> thank you lives. that was great. i didn't even know her son was coming here next fall.
9:17 pm
in a few minutes we have remaining i want to ask one or two questions. mark let me put the first one to you. you are our cybersecurity expert as a rapidly growing firm in this area. ann represented up here kaiser permanente pacific gas & electric american express are probably pretty sophisticated themselves large public companies in terms of cybersecurity. what is your assessment of how smaller companies and smaller firms are doing in cybersecurity these days? >> i think the challenge for everyone. it's the same threats that are hitting large companies and small companies. bigger companies have designated infrastructure by organization but if you ask the ceo or an owner of a small company they
9:18 pm
definitely consider themselves critical to infrastructure so they are just as worried and concerned about this and rightfully so because they are subject to the task. a small company believes is not under attack just because it's not large like other companies and that's a mistaken assumption. they need to do things to protect themselves with technology people and process and that's becoming evident. this is where something like information sharing is very powerful for smaller companies because they will never be able to bring to bear the resources that some of the larger companies can. we all work together and all the information sharing we are talking about and benefits of small companies which employ more people than the big companies do so it is important for august. >> thank you very much. in the 30 seconds we have left but me take the moderators prerogative to close it out.
9:19 pm
i want to comment on something my fraternity brothers talked about. constancy of values. let me say to the audience particularly the students here we have homeland security recognize and believe and this is certainly true of myself that homeland security whether its border security, cybersecurity counterterrorism means striking a balance between basic fizzles -- physical security and the things we cherish as americans. our values in terms of freedom to associate, privacy, civil liberties the cherished diversity in this country. we cherish our heritage the part of homeland security is preserving the things that really make this country strong and great. i love to tell public audiences we can build higher walls and we
9:20 pm
can interrogate more people and scream more people and we can erect more cybersecurity but we should not do so at the cost of who we are as a nation. so thank you very much for listening and thank you panelist for the great discussion. [applause] [inaudible conversations] ladies and gentlemen please
9:21 pm
welcome secretary of commerce penny pritzker moderator for the second plenary panel on improving cybersecurity practices. >> well thank you for having us here today. first of all i am thrilled to be back on campus. i'm a graduate of the law law school in the business school so this weather is not a surprise to me nor a shock and it's lots of fun to be back home. my other comment about the previous panel is i really had no idea that secretary johnson was such a comedian and i'm looking forward to asking his fraternity brother a lot about his room when they were in the fraternity. secretaries go back and forthwith one another but anyway we are thrilled to be here today to talk about cybersecurity and how it affects the private
9:22 pm
sector. a year ago and a day powered administration release something that has been referred to earlier today called the missed cybersecurity framework. just as the national institute of standards and technology which is part of the department of commerce. we knew then when we released the framework as we know now that cybersecurity represents a challenge not just for critical infrastructure which is how the framework was originally created but also for economic security and as we have heard for national security. we recognize them as we still do today that the most effective way to combat the growing threats on our cybersecurity space is there a strong partnership between industry and government and the civil society. and that is who we have here today. i represent the government. some of our panelists are from industry and some from civil society.
9:23 pm
with the recent high-profile attacks that we have had from sony and anthem it's clear that cyber risk continues to grow and that we as a nation need to do more to strengthen our cybersecurity. that is why congress must pass the information sharing and data breach legislation and update our criminal code without delay. that is why the department of commerce is working with other federal agencies and other educational institutions on something called a national initiative for cybersecurity education which is aimed at filling the 210000 open cybersecurity jobs in the united states today. that is why president abominate cybersecurity a priority in his state of the union address last month and that is why our administration has convened a summit. our panel today is focused on
9:24 pm
the perspectives of leading american businesses and their ideas on helping firms to align their policies, their technologies and their day-to-day operations to better protect themselves and their customers from cyber threats. all of this is about the urgency of the problem that we know exist today yet a recent pricewaterhousecoopers survey found that only 45% of ceos are extremely concerned about the cybersecurity threats. i have to confess i'm amazed it's not 100% but our nist cybersecurity framework creates a common language to discuss cyber threats in a way to measure success for senior executives and their i.t. professionals. the goal of the framework is to help companies organizations,
9:25 pm
institutions protect their i.t. from cyber threats ensure business confidentiality safeguard individual privacy and civil liberties and catalyze the cybersecurity marketplace in the process. at its core the framework serves as a bridge between business leaders and information security professionals within their own organizations. it is through the framework that we designed with critical infrastructure in mind. any business though can use this framework to help manage your cybersecurity risk and many are are ready doing so. we are going to hear from our panelists about that. i'm someone who has spent 27 years in the private sector so i know as all of you in this room know that good risk management is essential for successful
9:26 pm
business and that is why companies from a variety of sectors are using the framework to help manage their cybersecurity risks including proctor & gamble walgreens aig, qvc, kaiser permanente. all of them are here with us today and it's also why major auditing firms like deloitte and pricewaterhousecoopers are using the framework to help their clients better manage their cybersecurity risks. so the fact is the digital world is embedded in our government in our cities, in our society and our businesses and our daily lives. as we know there were 3 billion households worldwide and somewhere between 7.5 and 10 billion items from toasters to thermostats do phones all on line and implications of the cybersecurity threat given those facts are vast. our discussion today is going to
9:27 pm
explore how business leaders and their boards are moving cybersecurity concerns to the forefront. this is an opportunity to learn how this critical issue is part of corporate planning, part of corporate communications, part of corporate governance, part of corporate operations so i'm really thrilled today to be joined by a number of business leaders. brian moynihan who is the ceo of bank of america. on jay who is the ceo of mastercard peter hancock who is the ceo of aig, renee james who is the president of intel and new low o'connor who is the ceo for the center for democracy and technology. so let's jump right into this. my first question when i is for you. what is your vision for how technology can create a more secure environment and protect data?
9:28 pm
>> thank you. we have been working on improving the baseline security and computing for about the last decade. billions of dollars of investment for sewer vision is really we would like to get just get a baseline of security for everybody and to that end you know we have made significant investments in the security industry but more importantly are moving forward with initiatives like giving away free mobile security, putting in multifactor authentication into all the computers, things we help consumers if it's there and available for them instead of forcing them to go out and make decisions about what they should put in and what is multifactor and what are these crazy things and just make it easier for them and raise the baseline. one of the statistics that was the most concerning to me even two years ago more than half of
9:29 pm
the computers in the world to go out go out with the security off off. those are the kinds of things that we have taken a lot of steps in our technology and industry as part of the security industry and computing industry to move that forward and to get a baseline. >> does that mean then that as i am buying a new piece of equipment that i'm going to be able to have my security just know it's there or does it mean we have a long way to go still with the technology being ubiquitous and a protective environmental or information? >> i would say i would give us half and intel speak which is to say in the next generation we are lucky to have a lot of collaboration from the software industry, from companies like apple and microsoft and others that are actually putting in security -- you can opt out of
9:30 pm
course but it's fair and lycos putting in mechanisms and hardware so it's a lot harder to break and makes the transactions safer. .. a lot of our customers are directly people like the banks.
9:31 pm
the individual carries a mastercard so there's a consumer customer, the bank customer the merchant there's the customer spectrum. the fact is, whether you paid with cash or you're paying with a card or a form or your biometric print, what you do want is safety and security in the transaction. you want to make sure you aren't getting something that comes at you that steals stuff phenomenon are -- from you. tell technology is changing the way businesses sale and consumers buy and shop and everything else. along with the changes, processes are changing too. they're trying to figure out how to break into the changing habits. what i learned from our consumer customers is they want two clear
9:32 pm
things aside from the safety and security. the first one is stop making me prove i am who i am. because there's just -- [applause] >> too many things to remember. and by the way these damn passwordses because of security change on a different day of the week so if you're working in a company and have nine passwords and change them nine different days and you can't use the same passwords nine times, which basically means you write it down on a sticky and stick it on your computer, the worst form of information security. so the passwords is gone. what they really want is identifying -- the previous question is going in that direction. everything from biometrics to new technology that looks at the underlying heart beat which identifies by wearing a bracelet that it is -- you tap the computer and year you're
9:33 pm
fully connected or your open your car and it starts your maps to your office and on the way to dunkin' doughnuts and pay with the mastercard automatically. that's where it's going, and takes away the pain of remembering the passwords and that will be where this will end up. there are challenges of privacy. there are challenges of a lot of information, a lot of people about you, which you may not want and those are opportunities to discuss -- talking with the presenters, but the fact is that that is the first one. the second one is you can use data and analytics in a really clever way and a smart way, with anonhighsed data to create a safety net one thing they're launching to -- enough data and
9:34 pm
enough predictive analytics you can do a lot with that. that's the second part. the third part is something they're launching with credit union to number of the silicone valley firms where you can use a combination of biometrics and retinal scan to get authentication, both at the point of sale and remotely. just about to launch that. if you do those two or the three things together beyond digital payments this is next stage of software. >> there is really data that is not something that can be discovered? >> so, the nature of data we get in our stream issue don't get your name when you use your card. i get a card number, dollar value, and a merchant code. so in fact i don't know it's you. but could i through collaborating with brian or somebody else find a way to triangulate back to you?
9:35 pm
probably. but you chose to have a relationship with bank of america when you took the card. you didn't choose to have a relationship with me. my perspective is, play the role of the consumer the consumer chose to have with you. if you chose to have a relationship with a bank or merchant you deserve to know -- i don't deserve to know that he does. so i'm very clever mitchell royals, and his role is, and together we can make a lot of stuff happen and with the merchant community, both working on one example. >> brian the multistakeholder process was used to create the framework, and we think it's been a big success but i think that we do not have sufficient engagement, multistakeholder engagement going on, and i'm concerned that policy debates that affect the digital economy, including cyber security, too often occur in silos. so what do you think is the role of the public private partnership how do you break down the silos and who should
9:36 pm
lead? >> i think inning this you have a framework if you look across the industry you see people looking at it and studying it and people adopting it. we're in a phase because we think it's good enough and gives you a common language and dialogue. on issues like that comprehensives are important, but the think that i agree with you, we make distinctions about large and small and make distinctions about critical infrastructure or not make distinctions about all the -- the answer is, everybody is in the tent because they all have access. the university has compute are power that can be used to attack other people so they got to be in the tent, and now does the power grid and mastercard. the issue is getting everybody in and then the sharing is very important and we got to figure out the liability structure, and that's to do still, how to have the liability, and take a law
9:37 pm
change, but everybody is in the tent with a comprehensive view and then you protect the people who share -- going to have a few comments on that but protect the people we share with the mission toite the right way you. actually can get that collaboration to help do it. then you get down to individual consumer behavior, and that's the type of thing ajay talked about, the individual usage and data and authentication. we're a long way from the co lab brace we need from the parties. we better than two years ago or five years but we have to keep pushing people in the room and it has to be comprehensive. >> where should that collaboration occur. >> ultimately has to occur with the government's imprim mature, because at the end of the day terrific amount of the information is going to be coming through the financial
9:38 pm
informations so there can be a private sharing but a certain amount has to go on outside and also an ability to warn us what is coming in an ability for us to find out what is coming at us has been used to be and can be decoded -- diffused faster. things like that are touchy critical and that takes the government. they spent the money and they have the authority and power in capabilities and they see the-it across -- it's still a small amount of stuff that going through the sharing than the amount of stuff that comes at you. >> the president, as you know put out legislation, a proposed legislation on a cyber security legislation that addresses the issue of not just notification about data breaches but more importantly, offering up
9:39 pm
liability protection for corporations that share with the government and that is -- one of the debates we have had is to make sure there is enough protection so there's meaningful sharing so we can really collaborate between the government private sector to address bad actors and bad actions without violating people's privacy, but instead trying to get at the threat. and that is the tricky thing, and it ultimately will take legislation in order to create the kind of protections. >> the -- somebody comes into a branch of a bank and is trying to rob it, we don't ask them a lot of questions why they're there and that's they're motive. we stop the robbery in cyberspace we start to get into that we have to think through. it's difficult but a if they're bad actors, they're bad actors
9:40 pm
can. we don't have to figure out why. >> so, peter, what is the role of insurance in the whole issue of cyber security? >> well, i think it is evolving. this is an industry that has been around for a long time, and some things just don't change. i was visiting a business in italy not lock ago, and i went to the museum of insurance and saw policies -- >> oh, no. >> we geeks will do all sorts of things for amusement. here was a policy dated 1670 for marine cargo and what was that insurance policy's purpose? to reduce the fear of some merchants exporting to another country. that has not changed. and so when i look at the potential that the use of data, the aggregation of data, to innovate house it's as
9:41 pm
profound as international trade was back then and the role of insurance is to mitigate fear, to empower the economy, and to quote fdr what do we have to fear but fear snifts insurance can, at the margin, mitigate that fear. today we insure 20,000 businesses and about 20 million individuals against cyber breach and identity theft. we've been doing it for a dozen years. it's still a tiny, tiny business, but through the early learning from the breaches, the claims, i think that there's a feedback loop of innovation where the insurance industry working together with government, can help the adoption of standards, including the naic, to better secure data. but the concept of insurance as a risk transfer is simply one part of the role. it's the advisory part the feedback loop where we choose to
9:42 pm
insure only people who put in robust controls, only people who have the right corporate culture to put an end to end view of where the weakest link in the chain might be in terms of securing their customers' data. >> part of what you're doing is if i'm running a business you're helping me do a better josh at my own cyber security so you feel your risk of loss is less because i'm a more sophisticated actor. >> absolutely. there's many many consult stands and advisers who are much more technically able than we are on this topic. the difference is we have skin in the game. if you get it wrong, we have to pay. so the nature of our advice is very much in a practical way. what statistically tends to be the result. and as rj said, it's often the yellow sticky note with the damn password. it's not that complicate weed the vulnerabilities are. so getting simple things right significantly reduces the
9:43 pm
frequency and severity of loss events and that's where we can help spread the word and be a catalyst for a more secure data environment. >> is it your perception that the fear level continues to grow sony, anthem other major corporations. is it the fact that we have insurance that people aren't that worried about it, or is it -- do you really feel there's a new level of fear that needs to be addressed? >> i think that the insurance is still woefully underutilized. i don't think that people are becoming complacent because they've got insurance. i think they're complacent because they're not aware and a lot of people are reassured by their technical advisers, it's absolutely water tithe. well, maybe water tithe in one silo but me a not be the technology for the human error that is the problem.
9:44 pm
so having enterprise risk management that spans silos is a critical ingredient to become more secure. >> if you're running bank of america or mastercard oriental you have large organizations that help manage this. you're running a small or medium size business and i come to you for insurance, what kind of guidance aim going to get, how do i do this when i don't have the large resources relative to the challenge. >> to be honest, large companies -- our ability to provide sufficient capacity for them is really limited. so really is the small and medium companies we can help most. so we have a lot of online training and we have tools which we developed -- deliver with our technology partners to provide information sharing on threats, and it's really making it affordable for smaller companies who have rich data sets and very critical to their future but don't have the resources to fund all of the security apparatus
9:45 pm
that a larger firm might have. >> the missed framework helped in that. by creating different levels of companies based on the level of sophistication of threat you create a benchmarking process that makes it possible for companies small and medium to try to live up to the benchmark, make it possible for them underwrite compared to the benchmark, and that is a very critical park of what the framework did. >> i want to get week in framework in a minute. i want to ask a question. there's a real tension or perceived tension between privacy and cyber security. do you think this is the case? how are you dealing with this? >> well, i do think it's a case that people think there's a tension. i wouldn't agree there actually is in my time in the private sector we saw privacy and security as two sides of the same coin. you can have good privacy without a good security system. you can't have good protection of your customer dat without
9:46 pm
knowing that data is going to be secure. you can't have great cyber security if your employees are not well trained. we built a great team at ge that know how to merge the two mindsets and the two corporate values. at amazon we call dat an issue of customer trust, and customer respect. that's about the respect for the individual. it's their data their dig flit at -- dignity at stake, and this always on, always connect world, we're all sharing data. i'm sharing data right now. i'm very proud, i'm going to get all my numbers in today. so where in the cloud somebody is watching or the computer is watching what i have been doing. i'm incredibly proud of the great work the technology sector has done on these issues but we have to know, as customers,s a citizens,s a individuals, our data will be kept protected secured, respected and treated with the rerespect we expect
9:47 pm
when we could business with these companies and it's not going to end up in the hand of the federal government for no purpose at all, for wanton and reckless collection of data. although rerespect the fact there are national security issues and real threats to this country. the wholesale collection of dat da into the hands of the federal government is not the solution. the center for democracy and technology believes there are solutions and technology can be part of the solutions, solutions around encryption, and can be ways to see, identify, and protect the data, and still achieve the legitimate needs and ends we have to get to for national security and law enforcement. >> is there a limit to how much an individual really wants all these, quote, conveniences being offered to them by using their data versus the privacy that they want feeling, my device is not giving away my whereabouts
9:48 pm
or my -- invading my personal space? >> well, i hear that dichotomy a lot. obviously consumer control, individual control and the control that good companies are already building into their devices, exists and we want customers to take advantage of them. the argument that well, just because i put all my data on facebook doesn't mean i want any privacy, that's not a legitimate argument. i should have the right to engage in a fully engaged digital self digital world without feeling like i should be spied on by my government. >> it's not just the government. you're vulnerable also to folks that are trying to breach all of these folks' businesses to get at information. the other issue is really one about, as i am as a user customer and product and how do you reconcile the fact that my data becomes a product that you're selling but i'm also a customer.
9:49 pm
i'm not sure i -- and i know that when you push agree on the button you've aged to these things but is that -- we don't have an opt out system. should we have an opt out system? >> i think it's more than -- the discussion is so much bigger than opt in and opt out. the state of stewardship that really good companies like the ones here today are engaging in thinking about the respectful use of information, legitimate use of information to serve their customers' needs to create new products. part of the ongoing dialogue itch want to encourage -- you're thinking being this issue and people around the world are thinking this is no longer property rights my data is something i can barter and sell and trade. companies have interest in them and we want to engage this digital world. so we think about this in terms of the digital self. lattin americas have the concept of may data myself.
9:50 pm
my skid space in the online world. i choose to transact. but at the end of the day this is my personal data. some of the most intimate data in the systems of the companies and should be protected. >> so i want to return to the issue of the framework and ask you, maybe starting with brian about how -- do you use the framework and how, and is it helpful to your company? >> as i said earlier, my observations are colleagues and institutions are people at different levels, some sort of figuring out and we're sort of of in implementation and a framework which helps us think through practices going into the commentary that ajay said earlier. peopling -- boards directors are looking for frameworks how to deal with companies. and interestingly enough, last
9:51 pm
week, the board giving my review, and oning there that were not good at cyber security. that's the process where they can remain engaged without getting into the details about frameworks, using this series of principles and how to think about things things you can use to say if you do this you tooth -- ought to be covering this and let the professional does the work, hand to hand combat. people are using it, and people continue to look for ways to say, am i doing this well enough that peter's company will insure me i can protect myself and done the industry standard in some court of law or some proceeding or regulatory proceeding? that babymarking you get when you get the common frameworks is good. >> peter do you have a thought on there is? >> we have helped contribute to the developing of the naic and
9:52 pm
we certainly believe in the effectiveness of the ideas there. they're a great foundation, a necessary but not sufficient conditions. i think that an important element that we have implemented for ourselves is the appointment of a chief technology risk officer reporting to the enterprise chief risk officer as opposed to beg part of the technology organization. i think signature within technology you can't help being co-opted by you own proceed sure. this arriveds objectivity that looks across the organization at the weakest link in the chain weapon also incorporate the naist framework in the underwriting questions way pose to our potential insureds. we hope through that that's goal to really create some standardization, benchmarking. >> do you think we need framework 2.0? >> absolutely. >> and 3 and 4 and 5. it's going to have to be iterative. >> evolving all the time.
9:53 pm
you have a risk road map and you have created -- for everybody to talk the same language in cyber security they were not all talking similar language. it's a really good first step but the other guys are moving too fast. the guys you're trying to protect from are moving every day. right now there are people trying to hack into our companies. right now. and one of those idiots might succeed. that's the fearful part. what to be careful of is being able to stay agile enough to protect yourself and not think that there's one framework to solve everything. >> that's the overall issue is that just a number of agencies and internal parties, external parties, things are moving very quickly, and so where on the real cyber threat, attack transactional fraud,
9:54 pm
information, stuff like that, the dog log has to move -- it's a bit different than you can think harder about this use of information as a company having dat and we're stewardses of data and take it seriously. that's something we can think bat while and get it right. but the aamount of attacks attacks and intrusion and phishing, we have to -- the concept of forcing and sharing a dialogue will. >> i have been are begun to talk about there is in the way that likens it to the development of the road infrastructure in the country. it is a public collaboration. this road is a interstate that is a parkway that wasn't can't go through. here's how you turn, there's where you don't go. that speed limit. and there's law enforcement. our new digital super highway is going to need some rules of the road with no pun intended and the rules are going to evolve as
9:55 pm
the quality of cars and trucks keep improving and private sector should feel free innovate as much as it wants on designing the cooler car and truck and a car that listens to peter resident voice and starts playing his music. but it has to have four wheels driven bay driver with a license, and impressively not 51 different rules for 51 different states but a federal license would have been great. now do you think about it. right? this is all history. we have chance to do this the right way. if you learn everything you did and that's my only point. do that, then nist1.0 is the beginning of nist2.0 and 3.0, and -- >> evolving. >> an interesting analogy on this pace of version release in other areas, in driving regulations and building
9:56 pm
regulations. those of which we watch closely, and in super storm sandy, we had to pay over $2 billion of claims to businesses and infrastructure that got damaged. and there had been a flood in the same area 40 years ago and the building code changed about 2007 about 22 years after the first flood, and to move mechanicals from the basement above the flood line, and underwriting guidelines can change much more rapidly than the regulations can. so we can perform an interesting bridging role between version releasees. the feedback the learning, the constant litany of daily claims. we have claims every day that teach us something. >> well, in fairness, we're not -- government is not getting that kind of daily feedback but we can get the feedback loop from you and then revise the framework, knowing that the adoption right now we're focused
9:57 pm
very much on adoption because as soon as we can have using,ing a you said the rosetta storm, the same language where it's upick -- is this an unlimited pool of money that needs to be thrown at this snow how do you know you're doing the right amount? >> i don't think any of us is doing enough. the guys at the other end are doing much more than all of us do. i you're a bad actor, the mafia group versus a young kid versus a state government, none of us can spend enough money individually. that's why this public private partnership is important. the federal government is resources that are used in many different aspects we could benefit from and we could benefit to what the federal government could do. so i don't think any of us spend enough.
9:58 pm
i don't -- a sell a global network that people use because they rely on security and safety. how much money is enough to protect that? i don't know. >> as i mentioned -- people ask this question, there's 230,000 people in our company and i can know where everyone and is how much they cost. the one thing i never ask is the group that protects us, what they're going to spend because they have to spend what is necessary because the rest of the company doesn't operate if there's a problem there. so there's a return on it. we're open today and operating and protecting our customers' data protecting the finance services system protecting trust in the public and the financial services system. i we lose the confidence in the mobile phone we don't have people process the transactions that go through the device. we would have to hire 50,000 people to do it. so it's not something that you can it there and say okay, if
9:59 pm
spend a dollar 1.50 in return you. spend it because eight the whole infrastructure. >> renee i have a question for you, changing the subject. she intel commercials about scientists and technicians are some of my favorites and we -- the work force is a priority of the department of commerce. that do we need to do? how do we train people to fill the open cyber security jobs? how can you help us inspire people to be interested in this area? >> thank you madam secretary, for the easy question. i was going to tell you how we implemented the framework and i was so excited. >> you can tell us that too. >> i'll have background and half will be women. so before i go into that -- [cheering] >> before i go into that, i want to -- >> we have to remember we have students here. >> exactly. >> i want to inspire them.
10:00 pm
we have job ares to you. please stay in the computer science department. like the gentleman on the stage -- intellectual property companies and we have all collaborated on the framework, and one of the things i think uniquely we're all in different phases of using the framework and the language is super important. we published a white paper because we're actually through the other end of an implementation of it ask i think can be a blueprint for others so i wanted to put that out there so other people knew that we this week published what actually we did with our seven month journey and how it worked. and the other thing we have done that i'm southwesterly proud of the team for doing is we -- i'm very proud of the team is we wrote in a supplier agreement that we want them to consider the framework and in all good sense


info Stream Only

Uploaded by TV Archive on